There was a workshop on the Economics of Information Security held at Cambridge in England last June. Studying the economics
of information security is, to me, absurdly trivial. It is like studying the economics of operating a trading desk, an interesting pursuit for the
accountants at Schwab and eTrade but completely irrelevant to what is going on in the real economy.

Looking at cost trade-offs between help-desk support and investments in antispyware may be a valuable study for someone who
is responsible for the help desk or the vendor selling antispyware software, but it contributes nothing to an understanding
of the origins of spyware in the first place. And it would not produce insight about how to combat the scourge.

Cybercrime is now the primary threat not only to our computing infrastructure but also to our business processes and, in some cases,
our businesses. Understanding the economics of cybercrime will be fundamental to making investments in security technologies
as well as drafting new legislation and engaging international law enforcement efforts.

I was recently asked to join a workshop on modern malware hosted by the Santa Fe Institute and co-chaired by Matt Williamson,
principal research scientist from Sana Security, and Esther Dyson. It was a two-day session with no fixed agenda or goal other
than bringing together malware researchers, policy makers and security practitioners to try to understand where the battle
is heading. I can sum up the overall sense that was shared by the participants at the end of the second day: This is a war.
The enemy is organized, well financed and smart. Reactive measures such as research and signature generation are falling behind.
Most important, when this workshop convenes again, at least half the time and effort should be devoted to understanding the
economics of cybercrime.